X-Git-Url: https://git.realraum.at/?a=blobdiff_plain;f=ansible%2Froles%2Fbase%2Ftasks%2Fmain.yaml;fp=ansible%2Froles%2Fbase%2Ftasks%2Fmain.yaml;h=1e53273b4afec27d87de9100b1ef1b18c6b272ac;hb=d9a3cc9eb4fcbab709d6be1ea5b46dfdd88e48cc;hp=7f60b4e0f6adca460eedf8a3be232f66d0dc97af;hpb=be1c3ad2873ed6353cc57de5506e66b3a009cfba;p=noc.git
diff --git a/ansible/roles/base/tasks/main.yaml b/ansible/roles/base/tasks/main.yaml
index 7f60b4e..1e53273 100644
--- a/ansible/roles/base/tasks/main.yaml
+++ b/ansible/roles/base/tasks/main.yaml
@@ -6,20 +6,42 @@
     line: "PermitRootLogin without-password"
   notify: restart ssh
 
-- name: limit allowed users (1/2)
+- name: limit allowed users (1/3)
   lineinfile:
     dest: /etc/ssh/sshd_config
-    regexp: "^AllowUsers"
+    regexp: "^#?AllowUsers"
     line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group | default([])) | union(sshd_allowusers_host | default([]))) }}"
-  when: sshd_allowusers_set | default(true)
+  when: sshd_allowusers_set is defined and sshd_allowgroup is not defined
   notify: restart ssh
 
-- name: limit allowed users (2/2)
+- block:
+  - name: "limit allowed users (2/3): Make sure AllowUsers is not in sshd_config"
+    lineinfile:
+      dest: /etc/ssh/sshd_config
+      regexp: "^AllowUsers"
+      state: absent
+
+  - name: "limit allowed users (2/3): Set AllowGroups in sshd_config"
+    lineinfile:
+      dest: /etc/ssh/sshd_config
+      regexp: "^#?AllowGroups"
+      line: AllowGroups {{ sshd_allowgroup }}
+
+  - name: "limit allowed users (2/3): Add allowed users to ssh group"
+    user:
+      name: "{{ item }}"
+      groups: "{{ sshd_allowgroup }}"
+      append: True
+    with_items: "{{ [ 'root' ] | union(sshd_allowusers_group | default([])) | union(sshd_allowusers_host | default([])) }}"
+
+  when: sshd_allowgroup is defined
+
+- name: limit allowed users (3/3)
   lineinfile:
     dest: /etc/ssh/sshd_config
-    regexp: "^AllowUsers"
+    regexp: "^Allow(Users|Groups)"
     state: absent
-  when: not sshd_allowusers_set | default(true)
+  when: sshd_allowusers_set is not defined and sshd_allowgroup is not defined
   notify: restart ssh
 
 - name: Set authorized keys for root user
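Review bot: The new `when: sshd_allowusers_set is defined and sshd_allowgroup is not defined` on task (1/3) silently flips the old default: `sshd_allowusers_set | default(true)` applied the AllowUsers restriction unless a host explicitly opted out, whereas now a host that defines neither variable falls through to task (3/3), which strips every `Allow(Users|Groups)` line from sshd_config and lets any account with a key log in. If the inventory does not set `sshd_allowusers_set` on every host, keep the opt-out semantics, e.g. `when: (sshd_allowusers_set | default(true)) and sshd_allowgroup is not defined` on (1/3) and `when: not (sshd_allowusers_set | default(true)) and sshd_allowgroup is not defined` on (3/3); note the variable's value is otherwise ignored, so `sshd_allowusers_set: false` would now enable the restriction. The two `lineinfile` tasks inside the new `block` carry no `notify: restart ssh`, so removing AllowUsers and writing AllowGroups is not picked up by sshd until something else restarts it — add `notify: restart ssh` to each of them (a `block` does not accept `notify` itself). Minor: `append: True` should be the plain YAML boolean `true`, and `groups: "{{ sshd_allowgroup }}"` presumes the group already exists, which nothing in this hunk ensures.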